CVE-2017-16543
published 2017-11-05

Priority: P268 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 5.56% (91.9th percentile)
Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.

Affected (1 range)

Vendor    Product                            Version range           Fixed in
zohocorp  manageengine_applications_manager  13, before build 13500  build 13500

Detection & IOCs (extracted from sources)

url: /GraphicalView.do
url: /GraphicalView.do?
command: method=saveBusinessViewPropsForADDM
cookie: JSESSIONID_APM_9090
port: 9090
  • Detect POST requests to /GraphicalView.do with method=saveBusinessViewPropsForADDM containing a viewProps parameter with a yCanvas field; the yCanvas value is the SQL injection point.
  • Detect POST requests to /manageApplications.do?method=insert with a crafted name= parameter as an additional SQL injection vector in the same application.
  • The exploit uses the X-Requested-With: XMLHttpRequest header on requests to /GraphicalView.do; correlate this with anomalous SQL payloads in the POST body to reduce false positives.
  • These are post-authentication SQL injection vulnerabilities; the presence of a valid JSESSIONID_APM_9090 cookie alongside injection payloads indicates an authenticated attacker or a stolen session.
  • Vulnerabilities are post-authentication only; exploitation requires a valid authenticated session (JSESSIONID_APM_9090 cookie). Unauthenticated access alone is not sufficient.
  • Affected versions are ManageEngine Applications Manager 13 builds prior to 13500 only. Build 13500 and later are patched.
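The detection notes above turned into runnable logic, as an added example that is not part of this record and not code from Zoho or any detection vendor. It parses captured HTTP/1.1 requests, flags the two request shapes named above when the suspect parameter carries SQL syntax, and only then attaches the corroborating signals (X-Requested-With header, JSESSIONID_APM_9090 cookie). Assumptions not on the page: bodies are application/x-www-form-urlencoded; the encoding of viewProps is not documented, so the yCanvas field is located by substring search; the SQL-metacharacter pattern is a coarse heuristic to tune per deployment; all sample requests, hostnames and session ids are constructed placeholders.

```python
"""Detection logic for the CVE-2017-16543 request patterns listed above.

Added example, not code from the page or from Zoho ManageEngine.
Assumptions not stated on the page:
  * request bodies are application/x-www-form-urlencoded;
  * viewProps' encoding is unknown, so the yCanvas field is found by
    substring search and the text after it is inspected;
  * SQLI_HINT is a coarse, generic heuristic, not a signature for this CVE.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Coarse indicators of SQL syntax in a value that should be a number or a name
# (assumption: a starting heuristic that a deployment would tune).
SQLI_HINT = re.compile(
    r"'|--|/\*|\b(?:union|select|sleep|waitfor|benchmark)\b|\bor\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)


def parse_raw_request(raw: str) -> dict:
    """Split a captured HTTP/1.1 request into method, path, lower-cased headers
    and merged query-string + form-body parameters (query values come first)."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def analyse_request(req: dict) -> list:
    """Return finding labels for one parsed request; an empty list means benign."""
    params = req["params"]

    def first(name):
        return params.get(name, [""])[0]

    findings = []
    if (req["method"] == "POST" and req["path"] == "/GraphicalView.do"
            and first("method") == "saveBusinessViewPropsForADDM"):
        view_props = first("viewProps")
        at = view_props.find("yCanvas")
        if at >= 0 and SQLI_HINT.search(view_props[at:]):
            findings.append("sqli:GraphicalView.do viewProps.yCanvas")
        if SQLI_HINT.search(first("viewid")):
            findings.append("sqli:GraphicalView.do viewid")
    if (req["method"] == "POST" and req["path"] == "/manageApplications.do"
            and first("method") == "insert" and SQLI_HINT.search(first("name"))):
        findings.append("sqli:manageApplications.do name")

    if findings:  # enrich hits only: on their own these signals are normal traffic
        if req["headers"].get("x-requested-with", "").lower() == "xmlhttprequest":
            findings.append("corroborating:X-Requested-With XMLHttpRequest")
        if "JSESSIONID_APM_9090=" in req["headers"].get("cookie", ""):
            findings.append("context:authenticated APM session cookie present")
    return findings


# Constructed sample requests (not real traffic); host and session id are placeholders.
BENIGN = "\n".join([
    "POST /GraphicalView.do?method=saveBusinessViewPropsForADDM HTTP/1.1",
    "Host: apm.example.internal:9090",
    "X-Requested-With: XMLHttpRequest",
    "Cookie: JSESSIONID_APM_9090=PLACEHOLDER_SESSION",
    "",
    "viewProps=%7B%22yCanvas%22%3A120%7D&viewid=42",   # {"yCanvas":120}
])
# Same request with a stray quote in the yCanvas value: {"yCanvas":"120'--"}
VIEWPROPS_SQLI = BENIGN.replace("%3A120%7D", "%3A%22120%27--%22%7D")
NAME_SQLI = "\n".join([
    "POST /manageApplications.do?method=insert HTTP/1.1",
    "Host: apm.example.internal:9090",
    "Cookie: JSESSIONID_APM_9090=PLACEHOLDER_SESSION",
    "",
    "name=web01%27--&type=Tomcat",                        # name=web01'--
])

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("viewProps", VIEWPROPS_SQLI), ("name", NAME_SQLI)]:
        print(label, analyse_request(parse_raw_request(raw)))
```

The corroborating signals are deliberately added only to requests that already matched, since the XMLHttpRequest header and the session cookie are present on every legitimate console interaction; as the notes say, their value is in distinguishing an authenticated (or session-stealing) attacker from noise, not in detection by themselves.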

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P